Snort mailing list archives
Re: Eliminating rulesets
From: Jeff Elkins <jeff () elkins org>
Date: Sat, 9 Feb 2002 21:30:14 -0500
Thanks Phil :) (six-pack of virtual Beck's dark for you :)

Jeff

On Saturday 09 February 2002 08:11 pm, Phil Wood wrote:
> Hmm,
>
> On Sat, Feb 09, 2002 at 07:26:41PM -0500, Jeff Elkins wrote:
> > Thanks. I'll research invert before I repost. Wouldn't want to make
> > someone drink an extra beer :)
>
> % dict invert
>   v 1: make an inversion (in a musical composition); "here the theme is inverted"
>     2: turn inside out or upside down [syn: {reverse}]
>
> What I meant to say was fix up a rules file which looks for attacks
> going out from your site. An easy way would be to:
>
> % sed -e 's/EXTERNAL_NET/XXX_NET/' -e 's/HOME_NET/EXTERNAL_NET/' < web-iis.rules | sed -e 's/XXX_NET/HOME_NET/' > inverted-web-iis.rules
>
> But, check the contents of your {EXTERNAL|HOME}_NET variables first.
> Also, take another look at the various web alerts that triggered. You
> might see Forbidden or Connection closed ..., etc.
>
> Or, is that another beer...
>
> > Jeff
> >
> > On Saturday 09 February 2002 06:08 pm, you wrote:
> > > On Sat, Feb 09, 2002 at 01:42:42PM -0500, Jeff Elkins wrote:
> > > > I'm not trying to promote alcohol usage, but I have a newbie
> > > > question:
> > > >
> > > > I'm evaluating Snort on a Linux DSL/firewall box that also serves
> > > > as a mail server and webserver (Sendmail/Apache). The boxen inside
> > > > the firewall are all Linux as well. I've commented out the
> > > > Microsoft-specific rulesets (IIS, Frontpage and Cold Fusion). Other
> > > > than statistics gathering, is there any reason I'd want them
> > > > applied?
> > >
> > > You might want to invert them.
> > >
> > > > I was getting a _bunch_ of IIS alerts before I turned them off, btw.
> > > >
> > > > Thanks,
> > > > Jeff Elkins
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
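Added example, not part of the original thread: the inversion Phil describes, extended so that it swaps every occurrence of the two variables but only in the rule header (the text before the first "("), and with a check for a variable set to "any", one thing worth looking for when checking the {EXTERNAL|HOME}_NET variables. The function names, the sample rules and the `var NAME value` config lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Snort project.

# invert_rules: read Snort rules on stdin, write them to stdout with
# $EXTERNAL_NET and $HOME_NET swapped in the rule header only. Option text
# (msg:, content:, ...) is untouched, and comment/blank lines pass through.
# XXX_NET is the same temporary placeholder used in the sed one-liner above.
invert_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        p = index($0, "(")
        head = (p ? substr($0, 1, p - 1) : $0)
        tail = (p ? substr($0, p) : "")
        gsub(/\$EXTERNAL_NET/, "$XXX_NET", head)
        gsub(/\$HOME_NET/, "$EXTERNAL_NET", head)
        gsub(/\$XXX_NET/, "$HOME_NET", head)
        print head tail
    }'
}

# net_var_is_any NAME: read snort.conf text on stdin and succeed if NAME is
# set to "any". With HOME_NET or EXTERNAL_NET set to "any", the swapped rules
# no longer isolate traffic leaving the site.
net_var_is_any() {
    awk -v name="$1" '
    $1 == "var" && $2 == name && $3 == "any" { found = 1 }
    END { exit !found }'
}

# Constructed sample rules (not taken from web-iis.rules).
SAMPLE_RULES='# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed rule mentioning $HOME_NET"; content:"/example"; sid:1000001;)
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"constructed negated source"; sid:1000002;)'

# Constructed sample configuration lines.
SAMPLE_CONF='var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any'

for v in HOME_NET EXTERNAL_NET; do
    if printf '%s\n' "$SAMPLE_CONF" | net_var_is_any "$v"; then
        echo "warning: $v is 'any'; review the inverted rules" >&2
    fi
done

printf '%s\n' "$SAMPLE_RULES" | invert_rules
```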
Current thread:
- Eliminating rulesets Jeff Elkins (Feb 09)
- Re: Eliminating rulesets Jeff Elkins (Feb 09)
- Re: Eliminating rulesets Phil Wood (Feb 09)
- Re: Eliminating rulesets Jeff Elkins (Feb 09)